The recent Pegasus and #CatalanGate scandals have shown the huge risks at stake when people’s devices and communications are compromised without a legitimate and lawful reason. In Catalonia, a total of 65 direct victims, and thousands of collateral ones, were put under permanent surveillance with the Pegasus programme – spyware from the Israeli company NSO Group – for the past five years. In many regions of the world, this spyware was used to limit political dissent, expression, organisation and journalism. Despite the numerous examples showing that encryption must not be tampered with, the latest political debates and policy developments on encryption in Europe are highly concerning. That’s why the EDRi network found it imperative to revise our 2017 paper “Encryption Workarounds. A digital rights perspective” with updated accounts of the current political context.

What’s the political context?

The conversation around encryption is driven by the notion that investigations, and thereby law enforcement, are “going dark” because of encryption. In June 2021, Europol’s Executive Director, Catherine De Bolle and the district attorney of New York County, Cyrus R. Vance, Jr., described “unregulated encryption” as a “serious investigative challenge in virtually all areas of criminality” and that, “together with other privacy-enhancing technologies, is allowing for warrant-proof technology which increasingly impedes […] criminal investigations”.

Yet, this premise has been repeatedly questioned by many scholars and civil society actors. The law enforcement community itself has confirmed that encryption does not pose a big challenge in their investigations. The use of online services for a large number of daily activities, not just interpersonal communications, has substantially increased the amount of data potentially available to law enforcement which, in fact, leads us to a golden age of surveillance. The problem is not that investigative authorities are kept in the dark because of encryption, but rather that access to personal data by law enforcement bodies is not sufficiently regulated and EU Member States still refuse to comply with the high data protection and privacy standards set by the Court of Justice of the European Union.

It has never been so easy for the state to access people’s data and snoop on their private lives. A shady market has dramatically grown in the past decade to serve state actors with a large range of technological tools that enable a high level of intrusive and rights-threatening surveillance. A prolific, profit-driven market that Edward Snowden coined as an “out-of-control Insecurity Industry”, whose sole purpose is the production of vulnerability that already resulted in the deaths and detentions of journalists and human rights defenders.

Criticism is mounting in Europe as spyware scandals break one after the other. While the European Data Protection Supervisor called for a ban on Pegasus and similar modern spyware, the European Parliament launched a committee to investigate the use of Pegasus in Europe (PEGA). The European Commission Vice President Margaritis Schinas called for an EU approach to end the malicious use of hacking tools for political espionage against journalists and civil society. EDRi’s paper aims to contribute to this debate on future EU-wide rules against hacking.

So, the question you should be asking is why the EU want to take away your right to secure and private communication if crime investigations can still go on without the need to break encryption.

What’s new in EDRi’s position paper?

This paper reviews each state encryption-hacking method – or what we called previously “workaround” – and its singular impact on fundamental rights. For example, guessing the passphrase/password to access an encryption key is seemingly simple, but social engineering may conflict with the Charter of Fundamental Rights depending on the method used. 

We identify in the paper encryption hacking methods that are unacceptable in a democratic society given their severe and disproportionate interference with people’s fundamental rights and their far-reaching impacts on the integrity and security of encryption systems. We describe the hacking methods that state actors may use to get access to encrypted data and establish a list of compulsory, cumulative conditions under which these methods can be used. 

We then highlight the role of metadata in today’s criminal investigations, the lack of appropriate safeguards against its mass collection and retention and recall that metadata is just as sensitive as the actual content of the communications. Finally, we call for urgent reform of European States’ surveillance laws and policies and the regulation of unlawful state hacking practices.

What happens beyond the policy paper?

 In 2022, the European Commission proposed new law on tackling child sexual abuse online (CSAR) which threatens to turn each and every smartphone into a spying device. This is a direct attack on encryption. Spyware and attacks on encryption provide malicious actors and authoritarian regimes with tools of control on a silver plate. Breaking encryption in the EU would result in undermining encryption everywhere. The EU must do better! 

This paper offers solid evidence to decision-makers that there is no real need to intercept people’s private communications and that the consequences of doing so on people’s lives would be irreversible. The policy analysis and recommendations will feed into the strategy and actions of the EDRi-led Europe-wide movement that has come together to put pressure on the EU’s co-legislators, European Parliament and the Council, to stop EU’s attempts to scan every move we make by rejecting the CSAR proposal and upholding encryption.